From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] sssd: Update to version 2.9.2-1
Date: Thu, 21 Sep 2023 18:05:52 +0100
Message-ID: <1DC37608-BF70-4655-982F-FF662BA76ECE@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6316574857379845032=="
List-Id:

--===============6316574857379845032==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Adolf,

Yes, this used to be a problem because of a compiler bug in GCC.

This afternoon I asked Stefan to have a look at this since he has resolved this before, but it looks like updating the packages does the job as well.

I merged your patchset, tested it and it works. So I pushed it just now and hopefully a couple more packages should build as they are waiting for a working version of libtalloc, etc.

Best,
-Michael

> On 21 Sep 2023, at 10:17, Adolf Belka wrote:
>
> Hi All,
>
> I see that the x86_64 build of sssd is failing due to lack of
> libldb-devel and the aarch64 due to lack of
> libtalloc-devel
>
> Both are listed in the requires section. On my local build system I initially had the same message about libldb-devel but I then cleared my cache and rebuilt sssd, which forced building of all the other packages and then sssd built without any problems.
>
> This might be the problem we had occasionally over the weekend where the pakfire build took the wrong version or didn't build all the dependencies correctly.
>
> I am currently working on samba and that is requiring newer versions of libtalloc and libldb and a few others so when I have that working and submitted those dependencies will be newer. Maybe that will also help with sssd.
>
> Regards,
>
> Adolf.
>
>
> On 20/09/2023 22:44, Adolf Belka wrote:
>> - IPFire-3.x
>> - Update from version 2.8.2-2 to 2.9.2-1
>> - version 2.8.2-2 was failing to build.
>> - Initially version 2.9.2-1 failed with the same error messages.
>>   /usr/lib/sssd/sss_analyze [INVALID-INTERPRETER]
>>   There were also the following two messages in the log
>>   "/usr/lib/sssd/sss_analyze: Found command python ((null))
>>   /usr/lib/sssd/sss_analyze: Could not find path for command python"
>>   Based on the above error I checked sss_analyze and found the following first line
>>   "#!/usr/bin/env python" but the python program in IPFire is called python3
>>   Added the sed line to change python to python3 and the build then was successful.
>> - Changelog
>>     2.9.2
>>       Highlights
>>         SSSD 2.9 branch is now in long-term maintenance (LTM) phase.
>>       General information
>>         libkrb5-1.21 can now be used to build PAC plugin.
>>         sssctl cert-show and cert-show cert-eval-rule can now be run as non-root
>>           user.
>>       Important fixes
>>         SSSD does no longer crash if PIN is introduced but the tactile trigger
>>           isn’t pressed during passkey authentication.
>>         SSSD can now recover if memory-cache files under /var/lib/sss/mc were
>>           truncated while SSSD is running.
>>         Chaining of identical D-Bus requests that run in parallel to avoid
>>           multiple backend queries works again.
>>       Configuration changes
>>         New option local_auth_policy is added to control which offline
>>           authentication methods will be enabled by SSSD. This option is relevant
>>           for authentication methods which have online, and offline capability
>>           such as passkey, and smartcard authentication. The default value match
>>           sets the offline methods to their corresponding online value. This
>>           enables offline authentication when online kerberos pre-authentication
>>           such as PKINIT, or passkey is supported by the backend, note that
>>           online methods will still be attempted first. Option value only can be
>>           used to disable online authentication entirely, or the value
>>           enable:method to explicitly enable specific authentication methods,
>>           e.g. enable:passkey.
>>       Tickets Fixed
>>         #5198 - monatomically should have been monotonically
>>         #6733 - New covscan errors in ‘passkey’ code
>>         #6802 - sss_certmap_test fail in v2.9.1 on Arch Linux
>>         #6803 - [sssd] SSSD enters failed state after heavy load in the system
>>         #6889 - Crash in pam_passkey_auth_done
>>         #6911 - SBUS chaining is broken for getAccountInfo and other internal
>>           D-Bus calls
>>     2.9.1
>>       New features
>>         Passkey: added option to write key mapping data to file.
>>       Important fixes
>>         A regression was fixed that prevented autofs lookups to function
>>           correctly when cache_first is set to True. Since this was set as a
>>           new default value in sssd-2.9.0, it is considered as a regression.
>>         A regression where SSSD failed to properly watch for changes in
>>           ‘/etc/resolv.conf’ when it was a symbolic link or was a relative path,
>>           was fixed.
>>       Tickets Fixed
>>         #6442 - PAC errors when no PAC configured
>>         #6652 - IPA: previously cached netgroup member is not remove correctly
>>           after it is removed from ipa
>>         #6659 - sssd_be segfault at 0 ip 00007f16b5fcab7e sp 00007fffc1cc0988
>>           error 4 in libc-2.28.so[7f16b5e72000+1bc000]
>>         #6718 - file_watch-tests fail in v2.9.0 on Arch Linux
>>         #6720 - [sssd] User lookup on IPA client fails with ‘s2n get_fqlist
>>           request failed’
>>         #6739 - autofs mounts: Access to non-existent file very slow since 2.9.0
>>         #6744 - sssd-be tends to run out of system resources, hitting the
>>           maximum number of open files
>>         #6766 - [RHEL8] sssd : AD user login problem when modify
>>           ldap_user_name= name and restricted by GPO Policy
>>         #6768 - [RHEL8] sssd attempts LDAP password modify extended op after
>>           BIND failure
>>     2.9.0
>>       General information
>>         sss_simpleifp library is deprecated and might be removed in further
>>           releases. Those who are interested to keep using it awhile should
>>           configure its build explicitly using --with-libsifp ./configure option.
>>         “Files provider” (i.e. id_provider = files) is deprecated and might be
>>           removed in further releases. Those who are interested to keep using it
>>           awhile should configure its build explicitly using
>>           --with-files-provider ./configure option. Or consider using
>>           “Proxy provider” with proxy_lib_name = files instead.
>>         Previously deprecated --enable-files-domain configure option, which was
>>           used to manage default value of the enable_files_domain config option,
>>           is now removed.
>>         Long time unused ‘–enable-all-experimental-features’ configure option
>>           was removed.
>>         SSSD will no longer warn about changed defaults when using
>>           ldap_schema = rfc2307 and default autofs mapping. This warning was
>>           introduced in 1.14 to loudly warn about different default values.
>>       New features
>>         New passkey functionality, which will allow the use of FIDO2 compliant
>>           devices to authenticate a centrally managed user locally. Moreover, in
>>           the case of a FreeIPA user, it can also issue a Kerberos ticket
>>           automatically with upcoming FreeIPA version 4.11.
>>         Add support for ldapi:// URLs to allow connections to local LDAP servers
>>         NSS IDMAP has two new methods: getsidbyusername and getsidbygroupname
>>       Note: support for passkey is in its initial phase and the authentication
>>         policy will be adjusted in future versions.
>>       Packaging changes for passkey
>>         Include passkey subpackage and dependency for libfido2.
>>       Configuration changes for passkey
>>         New options to enable and tune passkey behavior: pam_passkey_auth,
>>           ldap_user_passkey, passkey_verification, passkey_child_timeout,
>>           interactive, interactive_prompt, touch and touch_prompt.
>>         --with-passkey is a new configuration option to enable building passkey
>>           authentication.
>>       Important fixes
>>         A regression when running sss_cache when no SSSD domain is enabled
>>           would produce a syslog critical message was fixed.
>>       Configuration changes
>>         Default value of cache_first option was changed to true in case SSSD
>>           is built without files provider.
>>         ipa_access_order parameter introduced. It behaves much like
>>           ldap_access_order but affects IPA domains (id_provider = ipa) and
>>           accepts limited values. Please see sssd-ipa(5) for more information.
>>       Tickets Fixed
>>         #5390 - sssd failing to register dynamic DNS addresses against an AD
>>           server due to unnecessary DNS search
>>         #6383 - sssd is not waiting for network-online.target
>>         #6403 - Add new Active Directory related certificate mapping templates
>>         #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
>>         #6451 - UPN check cannot be disabled explicitly but requires
>>           krb5_validate = false’ as a work-around
>>         #6479 - Smart Card auth does not work with p11_uri
>>           (with-smartcard-required)
>>         #5080 - [RFE] - Show password expiration warning when IdM users login
>>           with SSH keys
>>         #5390 - sssd failing to register dynamic DNS addresses against an AD
>>           server due to unnecessary DNS search
>>         #6228 - Enable passkey authentication in a centralized environment
>>         #6324 - coredump occurs when I restart sssd-ifp.service with
>>           sssd.service is inactive
>>         #6357 - KCM erroneously changes primary cache when renewing credentials
>>         #6360 - [D-Bus] ListByName() returns several times the same entry
>>         #6361 - [D-Bus] ListByName() fails when not using wildcards
>>         #6383 - sssd is not waiting for network-online.target
>>         #6387 - Fatal errors in log during Anaconda installation:
>>           “CRIT sss_cache:No domains configured, fatal error!”
>>         #6398 - [D-Bus] Groups.ListByName() and Groups.ListByDomainAndName()
>>           not working
>>         #6403 - Add new Active Directory related certificate mapping templates
>>         #6404 - [RFE] Add digest mapping feature from pam_pkcs11 in SSSD
>>         #6451 - UPN check cannot be disabled explicitly but requires
>>           krb5_validate = false’ as a work-around
>>         #6465 - SBUS:A core dump occurs when dbus_server_get_address()
>>         #6477 - changing password with ldap_password_policy = shadow does not
>>           take effect immediately
>>         #6479 - Smart Card auth does not work with p11_uri
>>           (with-smartcard-required)
>>         #6487 - implicit declaration of function fgetpwent in test_negcache_2.c
>>         #6505 - SSS_CLIENT: general library destructor should cancel
>>           thread-at-exit destructors
>>         #6531 - FAST/OTP with Anonymous PKINIT - oddly requires a keytab to
>>           exist (can be a bogus keytab)
>>         #6544 - AD: Nested group processing can fail or return invalid members
>>           (security issue)
>>         #6548 - sssd-ipa
>>         #6551 - passkey_child cannot be used to register passkey due to too
>>           strict permissions
>>         #6558 - enabling passkey authentication breaks idp support
>>         #6565 - Improvement: sss_client: add ‘getsidbyusername()’ and
>>           ‘getsidbygroupname()’ and corresponding python bindings
>>         #6588 - Integration Tests：The sssd_hosts module is missing in release
>>           tarball
>>         #6592 - pid wrapping caused sss_cli_check_socket to close the file
>>           descriptor opened by the process
>>         #6600 - [sssd] Auth fails if client cannot speak to forest root domain
>>           (ldap_sasl_interactive_bind_s failed)
>>         #6610 - BUILD: Clear compilation alarms.
>>         #6612 - MIT Kerberos confusion over password expiry
>>         #6617 - filter_groups doesn’t filter GID from ‘id’ output: AD +
>>           ‘ldap_id_mapping = True’ corner case
>>         #6626 - Unable to lookup AD user from child domain
>>           (or “make filtering of the domains more configurable”)
>>         #6635 - sss allows extraneous @ characters prefixed to username
>> Signed-off-by: Adolf Belka
>> --- >> sssd/sssd.nm | 7 +++++-- >> 1 file changed, 5 insertions(+), 2 deletions(-) >> diff --git a/sssd/sssd.nm b/sssd/sssd.nm >> index 90d804469..5f3a4ecd4 100644 >> --- a/sssd/sssd.nm >> +++ b/sssd/sssd.nm
>> @@ -4,8 +4,8 @@ >> #########################################################################= ###### >> name =3D sssd >> -version =3D 2.8.2 >> -release =3D 2 >> +version =3D 2.9.2 >> +release =3D 1 >> groups =3D System/Tools >> url =3D https://github.com/SSSD/sssd >> @@ -95,6 +95,9 @@ build >> # Drop /var/run >> rm -rvf %{BUILDROOT}%{localstatedir}/run >> +=20 >> + # Change python to python3 in sss_analyze file >> + sed -i 's|#!/usr/bin/env python|#!/usr/bin/env python3|g' %{BUILDROOT}/u= sr/lib/sssd/sss_analyze >> end >> end >> =20 >=20 > --=20 > Sent from my laptop --===============6316574857379845032==--
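
Review bot: Nothing beyond the `version`/`release` lines in the first hunk (`@@ -4,8 +4,8 @@`) reflects the 2.9.0 build-time changes that the commit message itself lists. The diffstat shows only 5 insertions and 2 deletions in `sssd/sssd.nm`, so the configure invocation and build dependencies are unchanged, while the changelog says the files provider now needs `--with-files-provider`, passkey needs `--with-passkey` plus libfido2, and the `cache_first` default becomes true when SSSD is built without the files provider. It would help to state in the commit message whether leaving the files provider and passkey out is intentional, because both change authentication and lookup behaviour for existing configurations.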
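
Review bot: The sed expression in the second hunk (`@@ -95,6 +95,9 @@ build`) is unanchored, so `s|#!/usr/bin/env python|#!/usr/bin/env python3|g` also matches a shebang that already reads `#!/usr/bin/env python3` and would turn it into `python33` once upstream fixes the interpreter line; it is also applied to every line of `sss_analyze` instead of only the first. Restricting it to line 1 and anchoring both ends, for example `1s|^#!/usr/bin/env python$|#!/usr/bin/env python3|`, makes the substitution idempotent and limits it to the shebang. The added `+=20` line before the comment contains only whitespace and should be a truly empty line.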